On 3/17/20 3:50 PM, Mark Thomas wrote:
> The XSS might be valid. I assume the tool provided a sample URL you
> could use to validate the finding. That should point you in the right
> direction but feel free to ask here if more help is required.
Near as I can tell, it did, but it didn't provide a sample URL.
Note that *all* I have is a PDF of the report, and I think the URL may
have gotten mangled by spanning a page-break. I've posted a screenshot
(with identifying information redacted) of what I'm looking at in the
report:
https://www.flickr.com/gp/64159238@N03/02i78o
As to DELETE and OPTIONS, you get no argument from me about whether a
DELETE will actually *do* anything (I've got a query out to our web
developer on that), and on restricting OPTIONS being a case of "Security
by obscurity"; however, this is a case of "The Customer is Always Right."
I found a page on disabling HTTP methods with a security constraint:
https://www.techstacks.com/howto/disable-http-methods-in-tomcat.html
But I'm not sure (1) how security constraints interact with other
security constraints, and (2) whether they can go in the conf/web.xml as
well as individual webapps' web.xml files.
As I said, I've got a query out to our web developers about *our*
webapp, but does Manager make any use of DELETE or OPTIONS?
--
JHHL
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
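An added example of the security-constraint pattern the linked howto describes, written for this thread and not taken from the thread, the linked page or Tomcat itself. It is a hypothetical web.xml fragment that blocks DELETE and OPTIONS for every URL in the application; the name "Blocked HTTP methods" is an arbitrary label.

```xml
<!-- Added example (not from the thread or the linked howto): a web.xml
     fragment that denies DELETE and OPTIONS for every path in the webapp. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Blocked HTTP methods</web-resource-name>
    <!-- Constrain the whole application. -->
    <url-pattern>/*</url-pattern>
    <!-- Only the methods listed here are covered by this constraint;
         every other method on /* is left unconstrained by this block. -->
    <http-method>DELETE</http-method>
    <http-method>OPTIONS</http-method>
  </web-resource-collection>
  <!-- An auth-constraint that names no roles means "no one is permitted":
       requests using the listed methods get 403 regardless of whether the
       caller is authenticated. -->
  <auth-constraint/>
</security-constraint>
```

On the two open questions: per the Servlet specification, when several security constraints apply to the same url-pattern and method, an auth-constraint that names no roles combines with the others to preclude access, so this deny takes precedence over constraints that grant roles on the same paths, and those constraints keep governing the methods this block does not list. A Servlet 3.0+ descriptor can invert the selection with `<http-method-omission>` (constrain every method except the named ones), and a Servlet 3.1 descriptor can add `<deny-uncovered-http-methods/>` so that methods no constraint mentions are rejected rather than silently allowed; newer Tomcat versions log a warning at deployment when a constraint leaves methods uncovered. As I understand it (an assumption to verify on your version), Tomcat merges conf/web.xml into each webapp's effective descriptor, so a constraint placed there applies to every deployed application, Manager included, which is also why it is worth confirming first that nothing you deploy depends on the methods you block.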